diff options
author | Christopher Speller <crspeller@gmail.com> | 2017-03-13 12:54:22 -0400 |
---|---|---|
committer | GitHub <noreply@github.com> | 2017-03-13 12:54:22 -0400 |
commit | c281ee3b61e8ab53ff118866d72618ae8cce582b (patch) | |
tree | 776e7bdf6c8bfbb9a1dee5976496ab065959991f /vendor/github.com/lib/pq/ssl.go | |
parent | 3ada7a41a7fb13abef19dd63dc56b720900dbaa9 (diff) | |
download | chat-c281ee3b61e8ab53ff118866d72618ae8cce582b.tar.gz chat-c281ee3b61e8ab53ff118866d72618ae8cce582b.tar.bz2 chat-c281ee3b61e8ab53ff118866d72618ae8cce582b.zip |
Updating server dependancies. Also adding github.com/jaytaylor/html2text and gopkg.in/gomail.v2 (#5748)
Diffstat (limited to 'vendor/github.com/lib/pq/ssl.go')
-rw-r--r-- | vendor/github.com/lib/pq/ssl.go | 119 |
1 files changed, 51 insertions, 68 deletions
diff --git a/vendor/github.com/lib/pq/ssl.go b/vendor/github.com/lib/pq/ssl.go index b282ebd92..7deb30436 100644 --- a/vendor/github.com/lib/pq/ssl.go +++ b/vendor/github.com/lib/pq/ssl.go @@ -15,7 +15,7 @@ import ( func ssl(o values) func(net.Conn) net.Conn { verifyCaOnly := false tlsConf := tls.Config{} - switch mode := o.Get("sslmode"); mode { + switch mode := o["sslmode"]; mode { // "require" is the default. case "", "require": // We must skip TLS's own verification since it requires full @@ -23,15 +23,19 @@ func ssl(o values) func(net.Conn) net.Conn { tlsConf.InsecureSkipVerify = true // From http://www.postgresql.org/docs/current/static/libpq-ssl.html: - // Note: For backwards compatibility with earlier versions of PostgreSQL, if a - // root CA file exists, the behavior of sslmode=require will be the same as - // that of verify-ca, meaning the server certificate is validated against the - // CA. Relying on this behavior is discouraged, and applications that need - // certificate validation should always use verify-ca or verify-full. - if _, err := os.Stat(o.Get("sslrootcert")); err == nil { - verifyCaOnly = true - } else { - o.Set("sslrootcert", "") + // + // Note: For backwards compatibility with earlier versions of + // PostgreSQL, if a root CA file exists, the behavior of + // sslmode=require will be the same as that of verify-ca, meaning the + // server certificate is validated against the CA. Relying on this + // behavior is discouraged, and applications that need certificate + // validation should always use verify-ca or verify-full. + if sslrootcert, ok := o["sslrootcert"]; ok { + if _, err := os.Stat(sslrootcert); err == nil { + verifyCaOnly = true + } else { + delete(o, "sslrootcert") + } } case "verify-ca": // We must skip TLS's own verification since it requires full @@ -39,7 +43,7 @@ func ssl(o values) func(net.Conn) net.Conn { tlsConf.InsecureSkipVerify = true verifyCaOnly = true case "verify-full": - tlsConf.ServerName = o.Get("host") + tlsConf.ServerName = o["host"] case "disable": return nil default: @@ -64,38 +68,43 @@ func ssl(o values) func(net.Conn) net.Conn { // in the user's home directory. The configured files must exist and have // the correct permissions. func sslClientCertificates(tlsConf *tls.Config, o values) { - sslkey := o.Get("sslkey") - sslcert := o.Get("sslcert") - - var cinfo, kinfo os.FileInfo - var err error + // user.Current() might fail when cross-compiling. We have to ignore the + // error and continue without home directory defaults, since we wouldn't + // know from where to load them. + user, _ := user.Current() + + // In libpq, the client certificate is only loaded if the setting is not blank. + // + // https://github.com/postgres/postgres/blob/REL9_6_2/src/interfaces/libpq/fe-secure-openssl.c#L1036-L1037 + sslcert := o["sslcert"] + if len(sslcert) == 0 && user != nil { + sslcert = filepath.Join(user.HomeDir, ".postgresql", "postgresql.crt") + } + // https://github.com/postgres/postgres/blob/REL9_6_2/src/interfaces/libpq/fe-secure-openssl.c#L1045 + if len(sslcert) == 0 { + return + } + // https://github.com/postgres/postgres/blob/REL9_6_2/src/interfaces/libpq/fe-secure-openssl.c#L1050:L1054 + if _, err := os.Stat(sslcert); os.IsNotExist(err) { + return + } else if err != nil { + panic(err) + } - if sslcert != "" && sslkey != "" { - // Check that both files exist. Note that we don't do any more extensive - // checks than this (such as checking that the paths aren't directories); - // LoadX509KeyPair() will take care of the rest. - cinfo, err = os.Stat(sslcert) - if err != nil { - panic(err) - } + // In libpq, the ssl key is only loaded if the setting is not blank. + // + // https://github.com/postgres/postgres/blob/REL9_6_2/src/interfaces/libpq/fe-secure-openssl.c#L1123-L1222 + sslkey := o["sslkey"] + if len(sslkey) == 0 && user != nil { + sslkey = filepath.Join(user.HomeDir, ".postgresql", "postgresql.key") + } - kinfo, err = os.Stat(sslkey) - if err != nil { + if len(sslkey) > 0 { + if err := sslKeyPermissions(sslkey); err != nil { panic(err) } - } else { - // Automatically find certificates from ~/.postgresql - sslcert, sslkey, cinfo, kinfo = sslHomeCertificates() - - if cinfo == nil || kinfo == nil { - // No certificates to load - return - } } - // The files must also have the correct permissions - sslCertificatePermissions(cinfo, kinfo) - cert, err := tls.LoadX509KeyPair(sslcert, sslkey) if err != nil { panic(err) @@ -105,7 +114,10 @@ func sslClientCertificates(tlsConf *tls.Config, o values) { // sslCertificateAuthority adds the RootCA specified in the "sslrootcert" setting. func sslCertificateAuthority(tlsConf *tls.Config, o values) { - if sslrootcert := o.Get("sslrootcert"); sslrootcert != "" { + // In libpq, the root certificate is only loaded if the setting is not blank. + // + // https://github.com/postgres/postgres/blob/REL9_6_2/src/interfaces/libpq/fe-secure-openssl.c#L950-L951 + if sslrootcert := o["sslrootcert"]; len(sslrootcert) > 0 { tlsConf.RootCAs = x509.NewCertPool() cert, err := ioutil.ReadFile(sslrootcert) @@ -113,41 +125,12 @@ func sslCertificateAuthority(tlsConf *tls.Config, o values) { panic(err) } - ok := tlsConf.RootCAs.AppendCertsFromPEM(cert) - if !ok { + if !tlsConf.RootCAs.AppendCertsFromPEM(cert) { errorf("couldn't parse pem in sslrootcert") } } } -// sslHomeCertificates returns the path and stats of certificates in the current -// user's home directory. -func sslHomeCertificates() (cert, key string, cinfo, kinfo os.FileInfo) { - user, err := user.Current() - - if err != nil { - // user.Current() might fail when cross-compiling. We have to ignore the - // error and continue without client certificates, since we wouldn't know - // from where to load them. - return - } - - cert = filepath.Join(user.HomeDir, ".postgresql", "postgresql.crt") - key = filepath.Join(user.HomeDir, ".postgresql", "postgresql.key") - - cinfo, err = os.Stat(cert) - if err != nil { - cinfo = nil - } - - kinfo, err = os.Stat(key) - if err != nil { - kinfo = nil - } - - return -} - // sslVerifyCertificateAuthority carries out a TLS handshake to the server and // verifies the presented certificate against the CA, i.e. the one specified in // sslrootcert or the system CA if sslrootcert was not specified. |